Stuxnet: 'Moral crime' or proportionate response?
Security experts split on cyberwar
Regcast training : Hyper-V 3.0, VM high availability and disaster recovery
Delegates at the Black Hat conference in Las Vegas are sharply split on the merits (or otherwise) of malware like Stuxnet that can be used offensively to take down infrastructure.
Stuxnet was the first malware that was publicly acknowledged to have been designed to take down physical equipment – in this case, Siemens supervisory control and data acquisition (SCADA) systems. According to recent reports it was developed by the US and Israel as part of Operation Olympic Games, a malware program started by former President Bush and expanded by the current administration.
"I think what you're talking about is a moral crime," said Marcus Ranum, faculty member of the Institute for Applied Network Security. "What you're really doing is putting civilian infrastructure on the front line in this non-existent war. The military is basically saying 'we've saved you a little old fashioned bombing - you should be happy,' but that's not appropriate."
Ranum's position brought applause from the audience, but others were less impressed. Black Hat founder Jeff Moss said that he was more supportive of using malware in this way, since it provided military options without the need to endanger human life.
"I've always thought that these were tools in the spectrum of proportional force in between harsh words and dirty looks and Mark II bombs," said Moss. "Now instead of blowing up plants and killing people you can attack the equipment, and this is another notch on the proportionality meter. If you agree with that or not it's a good tool to allow nation states to exert force without having to blow people up."
Ultimately, however, such debate is slightly pointless, F-Secure's top security man, Mikko Hypponen told The Register. The industry should focus instead on practicalities.
"Ultimately the ethics of this don't really matter – the decision has been made and this kind of stuff is going to be unavoidable." ®
COMMENTS
"Moral crime"?! You've got to be kidding. It was a military action. According to international law, all wars of aggression are crimes. Not "moral" crimes - crimes pure and simple. Iran did not attack the USA or Israel in any way - cybernetically or otherwise. Therefore, any kind of military action against it was criminal.
As for the "how do we know the plant wasn't making nukes" quip - stop swallowing the mainstream media propaganda. We KNOW that the plant wasn't making nukes, because all the major intelligence outfits of USA and the UK told us so. Iran isn't trying to make a nuclear weapon. Iran gave up the idea years ago. The spiritual leader of Iran issued a religious ban against nuclear weapons. It's just the politicians of the USA and Israel who are hungry to find any reason to attack Iran, change its regime and steal its oil. Worked so well in Iraq, didn't it? Oh, wait a minute...
Mikko's comment is disingenuous, too. Decades ago "decisions were made" to use weapons of mass destruction - poisonous gas, nukes, etc. (Remember which was the only country to use nukes? Against civilian targets, at that?) Does that also mean that their use "does not matter" - i.e., is not a crime against humanity?!
Oh, and about "proportional response". The USA (and some other countries) have stated that they will consider a cyber-attack on their infrastructure as an act of war and will feel free to respond with conventional weapons. Does that mean that Iran has now the right to bomb the USA and Israel?
Arrggh, what the world has become! :-( When I started working in this field, virus were just malicious pranks created by juveniles. I was just helping their innocent victims. Nowadays malware is a weapon used by organized crime and the military (is there really a distinction between the two?!). I don't want to be part of this any more! :-(((
Moral Crime ?
It depends. If done by a state then it was an act of war. If no state of war existed, then it was a crime, moral or otherwise.
And that's the danger. It's all too easy to launch such an attack and believe that no-one is getting hurt, but the victim might feel justified in considering physical violence to be a proportionate response.
I think they're playing with fire.
Re: Moral Crime ?
Didn't the US recently add 'cyber' attacks to that which constitutes an act of war?
ie. Had any country sponsored a Stuxnet-style virus aimed at disabling nuclear facilities in the US, then the US would feel justified declaring war on said sponsor. And I would wager that declaring war on said sponsor would be, primarily, non-cyber attacks.
IT infrastructure monitoring strategies
Agentless Backup is Not a Myth
Top 10 SIEM implementer’s checklist
Steps to Take Before Choosing a Business Continuity Partner
Requirements Checklist for Choosing a Cloud Backup and Recovery Service Provider
